Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the FY 2009 Immigration and Customs Enforcement Financial Integrated Audit

OIG-10-87                                         May 2010

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 25028

May 18, 2010

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the FY 2009 Immigration and Customs Enforcement (ICE) financial statement audit as of September 30, 2009. It contains observations and recommendations related to information technology internal control that were summarized in the Independent Auditors’ Report, dated December 18, 2009, and presents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at ICE in support of the DHS FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated April 1, 2010, and the conclusions expressed in it. We do not express opinions on DHS’ financial statements or internal control, nor do we express a conclusion on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Frank Deffer
Assistant Inspector General for Information Technology Audits

KPMG LLP
2001 M Street, NW
Washington, DC 20036

April 1, 2010

Inspector General
U.S. Department of Homeland Security

Chief Information Officer and
Chief Financial Officer
Immigration and Customs Enforcement

Ladies and Gentlemen:

We have audited the consolidated balance sheet of the Immigration and Customs Enforcement (ICE), a component of the U.S. Department of Homeland Security (DHS), as of September 30, 2009 and the related consolidated statements of net cost, changes in net position, and the combined statement of budgetary resources (hereinafter referred to as “consolidated financial statements”) for the year then ended. In planning and performing our audit of the consolidated financial statements of ICE, in accordance with auditing standards generally accepted in the United States of America, we considered ICE’s internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements, but not for the purpose of expressing an opinion on the effectiveness of ICE’s internal control. Accordingly, we do not express an opinion on the effectiveness of ICE’s internal control.

In planning and performing our fiscal year 2009 audit, we considered ICE’s internal control over financial reporting by obtaining an understanding of the design effectiveness of ICE’s internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements. To achieve this purpose, we did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982. The objective of our audit was not to express an opinion on the effectiveness of ICE’s internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of ICE’s internal control over financial reporting.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis.

Our audit of ICE as of, and for the year ended, September 30, 2009 disclosed a material weakness in the areas of information technology (IT) configuration management, security management, access controls, and segregation of duties. These matters are described in the IT General Control Findings by Audit Area section of this letter.

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.

The material weakness described above is presented in our Independent Auditors’ Report, dated December 18, 2009. This letter represents the separate restricted distribution letter mentioned in that report.

The control deficiencies described herein have been discussed with the appropriate members of management, and communicated through a Notice of Finding and Recommendation (NFR). Our audit procedures are designed primarily to enable us to form an opinion on the consolidated financial statements, and therefore may not bring to light all weaknesses in policies or procedures that may exist. We aim to use our knowledge of ICE gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies.

The Table of Contents on the next page identifies each section of the letter.
We have provided a description of key ICE financial systems and IT infrastructure within the scope of the FY 2009 ICE consolidated financial statement audit in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to certain additional matters have been presented in a separate letter to the Office of Inspector General and the ICE Chief Financial Officer dated December 9, 2009.

This communication is intended solely for the information and use of DHS and ICE management, DHS Office of Inspector General, OMB, U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security
Immigration and Customs Enforcement
Information Technology Management Letter
September 30, 2009

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

                                                                                   Page
Objective, Scope and Approach                                                         1
Summary of Findings and Recommendations                                               3
IT General Control Findings by Audit Area                                             4
  Findings Contributing to a Material Weakness in IT                                  4
    Configuration Management                                                          4
    Security Management (includes After-Hours Physical Security Testing)              4
    Access Controls                                                                   5
    Segregation of Duties                                                             5
Application Controls                                                                  9
Management’s Comments and OIG Response                                                9

APPENDICES

Appendix   Subject                                                                 Page
A          Description of Key ICE Financial Systems and IT Infrastructure within
           the Scope of the FY 2009 DHS Financial Statement Audit Engagement         10
B          FY 2009 Notices of IT Findings and Recommendations at ICE                 12
           -  Notice of Findings and Recommendations – Definition of
              Severity Ratings                                                       13
C          Status of Prior Year Notices of Findings and Recommendations and
           Comparison to Current Year Notices of Findings and Recommendations
           at ICE                                                                    19
D          Management’s Comments                                                     21
E          Report Distribution                                                       22

OBJECTIVE, SCOPE AND APPROACH

We have audited the Immigration and Customs Enforcement (ICE) agency’s balance sheet as of September 30, 2009. In connection with our audit of ICE’s balance sheet, we performed an evaluation of information technology general controls (ITGC) to assist in planning and performing our audit. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our ITGC evaluation procedures. The scope of the ITGC evaluation is further described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns, to assist them in planning their audit work, and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency.
FISCAM defines the following five control functions as essential to the effective operation of the general IT controls environment.

• Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.
• Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provide reasonable assurance that systems are configured and operating securely and as intended.
• Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.
• Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit procedures, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls in the ICE environment. The technical security testing was performed both over the Internet and from within select ICE facilities, and focused on test, development, and production devices that directly support key general support systems.

1
Information Technology Management Letter for the FY 2009 ICE Financial Statement Audit

In addition to testing ICE’s general control environment, we performed application control tests on a limited number of ICE’s financial systems and applications. The application control testing was performed to assess the controls that support the financial systems’ internal controls over the input, processing, and output of financial data and transactions.

• Application Controls (APC) – Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During fiscal year (FY) 2009, ICE took corrective action to address prior year IT control weaknesses. For example, ICE made improvements over tracking and maintaining Active Directory Exchange (ADEX) user access forms and securing its backup facility from unauthorized access. However, during FY 2009, we continued to identify IT general control weaknesses that could potentially impact ICE’s financial data. The most significant weaknesses from a financial statement audit perspective related to controls over the Federal Financial Management System (FFMS) and the weaknesses over physical security and security awareness. Collectively, the IT control weaknesses limited ICE’s ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over ICE financial reporting and its operation, and we consider them to collectively represent a material weakness for ICE under standards established by the American Institute of Certified Public Accountants (AICPA). In addition, based upon the results of our test work, we noted that ICE did not fully comply with the requirements of the Federal Financial Management Improvement Act (FFMIA).

Of the 14 findings identified during our FY 2009 testing, all were new IT findings. These findings represent weaknesses in four of the five FISCAM key control areas. Specifically, these weaknesses are: 1) unverified access controls through the lack of comprehensive user access privilege recertifications, 2) security management issues involving staff security training, exit processing procedures, and contractor background investigation weaknesses, 3) inadequately designed and operating configuration management, and 4) lack of effective segregation of duties controls within financial applications. These weaknesses may increase the risk that the confidentiality, integrity, and availability of system controls and ICE financial data could be exploited, thereby compromising the integrity of financial data used by management and reported in ICE’s financial statements.

While the recommendations made by KPMG should be considered by ICE, it is the ultimate responsibility of ICE management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.

IT GENERAL CONTROL FINDINGS BY AUDIT AREA

Findings Contributing to a Material Weakness in IT

During the FY 2009 financial statement audit, we identified the following IT and financial system control deficiencies that in the aggregate are considered a material weakness:

1. Configuration Management – we identified:

   • Security configuration management weaknesses on ADEX. These weaknesses included default configuration settings, inadequate patches, and weak password management.

2. Security Management – we identified:

   • During social engineering testing, 5 out of 20 staff provided their login and password.
   • Physical security weaknesses which identified improper protection of system user names and passwords, unsecured information security hardware, documentation containing Personally Identifiable Information (PII) or marked “For Official Use Only”, and unlocked network sessions. The specific results are listed below:

                                              ICE Locations Tested
                                              OFM            OCIO PCN        OCFO PCN        Total
     Exceptions Noted                         TechWorld      3rd floor       4th floor       Exceptions
                                              10th floor                                     by Type
     User Name and Passwords                  19             3               4               26
     For Official Use Only (FOUO)             1              2               1               4
     Keys/Badges                              0              1               1               2
     Personally Identifiable Information      13             2               0               15
       (PII)
     Server Names/IP Addresses                0              2               0               2
     Laptops                                  1              2               0               3
     External Drives                          2              3               1               6
     Credit Cards                             1              0               0               1
     Classified Documents                     0              0               0               0
     Other - Describe                         1 personal     1 workstation   1 workstation   3
                                              checkbook      logged in w/o   logged in w/o
                                                             screensaver     screensaver
                                                             activated       activated
     Total Exceptions by Location             38             16              8               62

   • Procedures for transferred and terminated personnel exit processing are not being consistently followed.
   • Background reinvestigations for contractors were not consistently performed.
   • IT Security training is not mandatory, nor is compliance monitored.

3. Access Controls – we identified:

   • A lack of recertification of ADEX and FFMS system users.
   • ADEX account lockout settings are not compliant with DHS policy.
   • ADEX system access was not consistently removed for terminated employees and contractors.
   • FFMS password settings are not compliant with DHS policy.
   • Physical security personnel are not adequately trained to detect non-conforming credentials that can be used to gain unauthorized access.

4. Segregation of Duties – we identified:

   • FFMS roles and responsibilities for the Originator, Funds Certification Official, and Approving Official profiles were not effectively segregated.
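The segregation-of-duties finding above concerns three FFMS profiles held in combinations that let one person carry a transaction through more than one control step. The following Python script is an added example, not code from the report or from ICE’s FFMS: it shows the two checks an access reviewer would run over exported data, a preventive check of role assignments for incompatible profile pairs, and a detective check of a transaction log for documents on which one user performed two workflow steps. The three profile names are taken from the finding; the incompatibility rules, the record layouts, and all sample data are constructed assumptions.

```python
"""Segregation-of-duties checks for a three-role transaction workflow.

Added example; not code from the audit report or from ICE/FFMS. The three
profile names (Originator, Funds Certification Official, Approving Official)
come from the finding; the rule that no single user may hold more than one of
them, the record layouts, and all sample data are assumptions constructed for
this example.
"""
from collections import defaultdict
from itertools import combinations

# Assumed incompatible profile pairs: each pair joins initiation with a
# downstream control step that a different person should perform.
CONFLICTING_PROFILES = {
    frozenset({"Originator", "Funds Certification Official"}),
    frozenset({"Originator", "Approving Official"}),
    frozenset({"Funds Certification Official", "Approving Official"}),
}

# Constructed user-to-profile assignments, as an access administrator
# might export them for a recertification review.
SAMPLE_ASSIGNMENTS = [
    ("jdoe", "Originator"),
    ("jdoe", "Approving Official"),            # conflict: initiates and approves
    ("asmith", "Funds Certification Official"),
    ("asmith", "Approving Official"),          # conflict: certifies and approves
    ("bkhan", "Originator"),
    ("clee", "Approving Official"),
    ("clee", "Read Only"),                     # non-workflow profile, no conflict
]

# Constructed transaction records: (document id, workflow action, acting user).
SAMPLE_TRANSACTIONS = [
    ("OBL-1001", "originate", "bkhan"),
    ("OBL-1001", "certify", "asmith"),
    ("OBL-1001", "approve", "clee"),
    ("OBL-1002", "originate", "jdoe"),
    ("OBL-1002", "certify", "asmith"),
    ("OBL-1002", "approve", "jdoe"),           # same user originated and approved
    ("OBL-1003", "originate", "bkhan"),
    ("OBL-1003", "certify", "asmith"),
    ("OBL-1003", "approve", "asmith"),         # same user certified and approved
]


def find_role_conflicts(assignments):
    """Preventive check over role assignments.

    Returns {user: sorted list of (profile, profile) pairs} for every user
    holding two profiles that appear together in CONFLICTING_PROFILES.
    """
    profiles_by_user = defaultdict(set)
    for user, profile in assignments:
        profiles_by_user[user].add(profile)

    conflicts = {}
    for user, profiles in profiles_by_user.items():
        bad_pairs = [
            pair
            for pair in combinations(sorted(profiles), 2)
            if frozenset(pair) in CONFLICTING_PROFILES
        ]
        if bad_pairs:
            conflicts[user] = sorted(bad_pairs)
    return conflicts


def find_self_processed_documents(transactions):
    """Detective check over a transaction log.

    Returns {document id: sorted list of (action, action) pairs} for every
    document on which the same user performed both actions. This catches
    violations that clean role assignments alone would not, such as a step
    performed under a temporarily granted profile.
    """
    actor_by_step = defaultdict(dict)  # document -> action -> user
    for doc, action, user in transactions:
        actor_by_step[doc][action] = user

    flagged = {}
    for doc, steps in actor_by_step.items():
        repeats = [
            (first, second)
            for first, second in combinations(sorted(steps), 2)
            if steps[first] == steps[second]
        ]
        if repeats:
            flagged[doc] = sorted(repeats)
    return flagged


if __name__ == "__main__":
    for user, pairs in find_role_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"role conflict: {user} holds {pairs}")
    for doc, pairs in find_self_processed_documents(SAMPLE_TRANSACTIONS).items():
        print(f"self-processed: {doc} steps {pairs} performed by one user")
```

The preventive check supports the recertification recommended later in the letter (reviewers can run it against each access export and retain the output as evidence), while the detective check gives management a way to confirm that the segregation actually held in the processed transactions, not only in the assigned profiles.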
Recommendations: We recommend that the ICE Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the DHS Office of the Chief Financial Officer and the DHS Office of the Chief Information Officer, make the following improvements to ICE’s financial management systems and associated information technology security program.

Configuration Management:

1. Redistribute procedures and train employees on continuously monitoring and mitigating vulnerabilities. In addition, we recommend that ICE periodically monitor for unnecessary services and protocols running on its servers and network devices, in addition to deploying patches.
2. Perform vulnerability assessments and penetration tests on all ICE offices, from a centrally managed location with a standardized reporting mechanism that allows for trending, on a regularly scheduled basis in accordance with NIST guidance.
3. Develop a more thorough approach to track and mitigate configuration management and resource vulnerabilities identified during monthly scans. ICE should monitor the vulnerability reports for necessary or required configuration changes to its environment.
4. Develop a process to verify that systems identified with “HIGH/MEDIUM Risk” configuration vulnerabilities do not appear on subsequent monthly vulnerability scan reports, unless they are verified and documented as a false positive. All risks identified during the monthly scans should be mitigated immediately, and not be allowed to remain dormant.
5. Implement the corrective actions identified during the audit vulnerability assessment.

Security Management:

1. Ensure that users are trained in, and aware of, the requirements to safeguard login credentials, lock network sessions to DHS systems, and lock any sensitive information, media containing sensitive information, or data not suitable for public dissemination in secure locations when not in use.
2. Effectively limit access to DHS buildings, rooms, work areas, spaces, and structures housing IT systems, equipment, and data to authorized personnel.
3. Adhere to exit clearance procedures and require personnel to follow them in the event of transfer/termination.
4. Periodically review personnel files to confirm background reinvestigations have been completed in accordance with DHS standards.
5. Implement mandatory requirements for IT security personnel to complete training consistent with their job function duties.
6. Remove system access for personnel that are not in compliance with training requirements. In addition, document procedures regarding disabling user accounts and access privileges in accordance with DHS policy.

Access Controls:

1. Establish and implement policies and procedures for recertification of system user privileges.
   This process should include a method to document user recertification and a process to maintain evidence of the reviews.
2. Develop processes for the removal of transferred and terminated users within ADEX upon their separation.
3. Modify ADEX lockout settings to comply with DHS policy.
4. Update FFMS password configuration settings to comply with DHS policy.
5. Train physical security personnel to recognize DHS-issued identification and to deter non-conforming credentials.

Segregation of Duties:

1. Enforce policies and procedures to ensure that assigned roles and responsibilities are commensurate with personnel job functions.

Cause/Effect:

The ICE agency is not continuously monitoring the ICE ADEX General Support System (GSS) vulnerability assessment scans for patch and configuration management vulnerabilities. As a result, default configuration installations and unnecessary services operating on the ICE ADEX devices increase the ability to compromise the availability, integrity, and confidentiality of financial data on the network. Additionally, failure to apply critical vendor security patches exposes system and network devices to new and existing vulnerabilities. This can expose the information system controls environment to security breaches, unauthorized access, service interruptions, and denial of service attacks.

ICE management has not ensured that personnel are adequately trained and aware of the basic IT security policies described by DHS to ensure that system users are cognizant of computer security principles. Without proper training and awareness, system users could potentially provide unauthorized persons with information that could be used to gain access to ICE resources and sensitive data, which may result in loss, damage, or theft.

ICE management has not ensured that personnel are adequately trained and aware of the basic IT security policies described by DHS and ICE to protect their login credentials, lock network sessions to DHS systems, secure information system hardware, and securely store and limit access to FOUO and PII. The failure to control access to sensitive IT resources and ICE documentation could potentially result in the theft or destruction of ICE assets, unauthorized access to sensitive information, and disruptions in processing of ICE financial systems. Additionally, ICE personnel who are not adequately trained to protect their login credentials present an increased risk of unauthorized access to sensitive information from external and internal threats.

ICE personnel are not consistently complying with, or are unaware of, existing exit clearance procedures. Without a more efficient process by which personnel are made aware of terminated or transferred employees, ICE’s IT environment could be significantly impacted as these staff retain unauthorized access to resources.

Due to a lack of management oversight, background investigations are not initiated in a timely manner. Allowing personnel access to organization information and information systems without proper adjudication increases the risk of improper handling of sensitive information.

ICE management has not expended the time and resources necessary to formally document access review and recertification procedures for system user accounts and access privileges. Because access review and recertification procedures are not formally documented, reviewers do not have a standard for effectively conducting the recertification of FFMS accounts. This could lead to the risk of potentially allowing users to have account privileges that are no longer needed, or should not have been initially granted.

ICE management had not taken sufficient measures to ensure that financial system users comply with established policies related to the proper segregation of duties. Without enforcing compliance with proper segregation of duties, management is not able to maintain an effective control environment. The failure to segregate the initiation and approval of transactions on business applications results in an increased risk that transactions may be inappropriately executed.

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the Electronic Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with OMB and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines describe specific essential criteria for maintaining effective general IT controls. FFMIA sets forth legislation prescribing policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems. The purpose of FFMIA is: (1) to provide for consistency of accounting by an agency from one fiscal year to the next, and uniform accounting standards throughout the Federal Government; (2) require Federal financial management systems to support full disclosure of Federal financial data, including the full costs of Federal programs and activities; (3) increase the accountability and credibility of federal financial management; (4) improve performance, productivity and efficiency of Federal Government financial management; and (5) establish financial management systems to support controlling the cost of Federal Government. In closing, for this year’s IT audit we assessed the DHS component’s compliance with DHS Sensitive System Policy Directive 4300A.

APPLICATION CONTROLS FINDINGS

We did not identify any findings in the area of application controls during the fiscal year 2009 ICE audit engagement.

MANAGEMENT’S COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from Immigration and Customs Enforcement management. Generally, ICE management agreed with all of our findings and recommendations. ICE management has developed a remediation plan to address these findings and recommendations. We have included a copy of the comments in Appendix D.

OIG Response

We agree with the steps that ICE management is taking to satisfy these recommendations.

Appendix A

Description of Key ICE Financial Systems and IT Infrastructure within the Scope of the FY 2009 DHS Financial Statement Audit

Below is a description of significant Immigration and Customs Enforcement (ICE) financial management systems and supporting information technology (IT) infrastructure included in the scope of ICE’s fiscal year (FY) 2009 Financial Statement Audit.

Locations of Review: ICE Headquarters, Washington, DC; The Burlington Finance Center (BFC), Burlington, VT; Department of Commerce (DOC) Office of Computer Services (OCS), Springfield, VA.

Systems Subject to Audit:
• Federal Financial Management System (FFMS): It is used to create and maintain a record of each allocation, commitment, obligation, travel advance and accounts
receivable issued. It is\n   the system of record for the agency and supports all internal and external reporting\n   requirements.\n\n\xef\xbf\xbd\t ICE Network: The ICE Network, also know as the Active Directory/Exchange (ADEX) E-mail\n   System, is the general support system (GSS) for ICE and other DHS components.\n\n\n\n\n                                         11\n \n\nInformation Technology Management Letter for the FY 2009 ICE Financial Integrated Audit\n\x0c                                                                           Appendix B\n                          Department of Homeland Security\n \n\n                       Immigration and Customs Enforcement \n\n                      Information Technology Management Letter\n                                 September 30, 2009\n\n\n\n\n                                   Appendix B \n\n FY 2009 Notices of IT Findings and Recommendations at ICE \n\n\n\n\n\n                                         12\n \n\nInformation Technology Management Letter for the FY 2009 ICE Financial Integrated Audit\n\x0c                                                                                     Appendix B\n                                Department of Homeland Security\n                             Immigration and Customs Enforcement\n                            Information Technology Management Letter\n                                       September 30, 2009\n\n\nNotice of Findings and Recommendations (NFR) \xe2\x80\x93 Definition of Severity Ratings:\n\nEach NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on\nthe Department of Homeland Security (DHS) Consolidated Independent Auditors Report.\n\n      1 \xe2\x80\x93 Not substantial\n      2 \xe2\x80\x93 Less significant\n      3 \xe2\x80\x93 More significant\n\nThe severity ratings indicate the degree to which the deficiency influenced the determination of\nseverity for consolidated reporting purposes.\n\nThese rating are 
provided only to assist ICE in the development of its corrective action plans for\nremediation of the deficiency.\n\n\n\n\n                                         13\n \n\nInformation Technology Management Letter for the FY 2009 ICE Financial Integrated Audit\n\x0c                                                                                                                                 Appendix B\n                                                   Department of Homeland Security\n \n\n                                                Immigration and Customs Enforcement \n\n                                               Information Technology Management Letter\n                                                          September 30, 2009\n\n                                                  FY 2009 Information Technology\n                                      Notification of Findings and Recommendations \xe2\x80\x93 Detail\n                                                                                                                        New     Repeat   Severity\nNFR #                          Condition                                           Recommendation\n                                                                                                                        Issue    Issue    Rating\nICE-IT\xc2\xad   We accessed ICE facilities located at the Tech World       We recommend that ICE train physical security       X                  2\n 09-11    Building on 800 K Street and the PCN Tower on 500          personnel to recognize DHS issued identification\n          and 12th Street without the use of DHS issued              or credentials and detect non-conforming\n          credentials. 
Moreover, we overtly presented non\xc2\xad           credentials.\n          government issued identification to building security\n          and was then granted physical access to the facilities.\n\nICE-IT\xc2\xad   Ineffective/non-compliant account lockout counter          The Enterprise Operations Division of the OCIO      X                  2\n 09-12    settings During the FY09 audit, KPMG inquired of           adjusted the lockout settings after they were\n          ICE OCIO personnel about ADEX account settings,            informed by us of the discrepancy.          No\n          reviewed the account lockout settings, and inspected       recommendation given.\n          ICE\xe2\x80\x99s logical access polices and found that the\n          account lockout settings for ADEX was not compliant\n          with DHS policy.        DHS policy requires that the\n          system is to lock user accounts after three consecutive\n          invalid login attempts within a 24 hour period.\n          However, within ADEX, the number of invalid\n          attempts to access the system resets to zero after 30\n          minutes if up to two invalid access attempts are made.\n          Therefore, several attempts can initiated as long as the\n          user waits 30 minutes before attempting again.\n\nICE-IT\xc2\xad   We determined that the FFMS password settings              We recommend that ICE update the FFMS               X                  2\n 09-13    require the use of an underscore and does not allow        password configuration settings to be in\n          the use of any other special characters such as !, @, #,   compliance with DHS 4300A policies.\n          $, %, or *, which is not compliant with DHS policy.\n          The DHS policy requires that passwords contain a\n          combination of alphabetic, numeric, and special\n          characters.\n\n\n                                                           14\n                  Information Technology 
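The lockout-counter and password-complexity conditions in NFRs ICE-IT-09-12 and ICE-IT-09-13 can be checked mechanically. The following is an added example, not code from the audit report or from any ICE system: it encodes the DHS 4300A requirements exactly as the two NFRs quote them, evaluates a configuration against them, and replays invalid-login sequences against the counter semantics NFR 09-12 describes to show why a 30-minute reset window does not meet the 24-hour requirement. The class and parameter names and the values of the corrected configurations are assumptions.

```python
"""Added example, not from the audit report: check authentication settings against the
DHS 4300A requirements quoted in NFRs ICE-IT-09-12 and ICE-IT-09-13."""
from dataclasses import dataclass
from datetime import timedelta

# Requirements as quoted in the NFRs; encoding them as constants is an assumption.
REQUIRED_LOCKOUT_THRESHOLD = 3                     # consecutive invalid attempts
REQUIRED_OBSERVATION_WINDOW = timedelta(hours=24)  # period in which they must count
# Special characters that NFR 09-13 names as examples a compliant system should accept.
REFERENCE_SPECIALS = set("!@#$%*")


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int                 # invalid attempts at which the account locks
    observation_window: timedelta  # idle time after which the failure counter resets


@dataclass(frozen=True)
class PasswordPolicy:
    require_alpha: bool
    require_digit: bool
    allowed_specials: str          # special characters the system accepts
    required_special: str = ""     # one specific special the system insists on, if any


def lockout_findings(policy: LockoutPolicy) -> list[str]:
    """Deviations of a lockout configuration from the requirement; [] means compliant."""
    findings = []
    if policy.threshold < 1 or policy.threshold > REQUIRED_LOCKOUT_THRESHOLD:
        findings.append(f"locks after {policy.threshold} attempts; "
                        f"required {REQUIRED_LOCKOUT_THRESHOLD}")
    if policy.observation_window < REQUIRED_OBSERVATION_WINDOW:
        findings.append(f"failure counter resets after {policy.observation_window}; "
                        f"required {REQUIRED_OBSERVATION_WINDOW}")
    return findings


def password_findings(policy: PasswordPolicy) -> list[str]:
    """Deviations of a password-complexity configuration; [] means compliant."""
    findings = []
    if not (policy.require_alpha and policy.require_digit):
        findings.append("alphabetic and numeric characters are not both required")
    missing = REFERENCE_SPECIALS - set(policy.allowed_specials)
    if missing:
        findings.append("rejects special characters: " + "".join(sorted(missing)))
    if policy.required_special:
        findings.append(f"forces a fixed special character {policy.required_special!r}")
    return findings


def is_locked_out(policy: LockoutPolicy, failure_offsets: list[timedelta]) -> bool:
    """Replay invalid-login times (offsets from an arbitrary start) with the counter
    semantics NFR 09-12 describes: the counter is cleared whenever the gap since the
    previous failure exceeds the observation window. Returns True if the account locks."""
    count, last = 0, None
    for t in sorted(failure_offsets):
        if last is not None and t - last > policy.observation_window:
            count = 0
        count += 1
        last = t
        if count >= policy.threshold:
            return True
    return False


# Constructed configurations: ADEX and FFMS as the NFRs describe them, plus corrected
# counterparts whose exact values are assumptions.
ADEX_AS_FOUND = LockoutPolicy(threshold=3, observation_window=timedelta(minutes=30))
ADEX_CORRECTED = LockoutPolicy(threshold=3, observation_window=timedelta(hours=24))
FFMS_AS_FOUND = PasswordPolicy(True, True, allowed_specials="_", required_special="_")
FFMS_CORRECTED = PasswordPolicy(True, True, allowed_specials="_!@#$%*&")

# Constructed failure sequences: three invalid logins 35 minutes apart, and three
# within 20 minutes.
SPACED_FAILURES = [timedelta(minutes=m) for m in (0, 35, 70)]
RAPID_FAILURES = [timedelta(minutes=m) for m in (0, 10, 20)]

if __name__ == "__main__":
    for name, pol in (("ADEX as found", ADEX_AS_FOUND), ("ADEX corrected", ADEX_CORRECTED)):
        print(name, lockout_findings(pol) or "compliant",
              "| locks on spaced failures:", is_locked_out(pol, SPACED_FAILURES))
    for name, pol in (("FFMS as found", FFMS_AS_FOUND), ("FFMS corrected", FFMS_CORRECTED)):
        print(name, password_findings(pol) or "compliant")
```

Run stand-alone, the as-found ADEX policy reports a non-compliant reset window and never locks on the spaced sequence, while the corrected policy does.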
ICE-IT-09-14 (New issue: X; Repeat issue: none; Severity rating: 2)
Condition: We identified that the ADEX user recertification process is not designed appropriately. Specifically, we noted a lack of formal policy and procedure for managing the periodic review of ADEX general user access. In addition, the informal process, contingent upon personnel's annual completion of the Information Assurance Awareness Training (IAAT), as a mitigating control for ensuring a review of users' access on a periodic basis is insufficient.
Recommendation: We recommend that ICE management establish and implement policies and procedures for recertification of ADEX user privileges. This process should include a method to document user recertification and a process to maintain evidence of the reviews.

ICE-IT-09-15 (New issue: X; Repeat issue: none; Severity rating: 2)
Condition: We inquired of ICE OCIO personnel about the process for recertifying FFMS user access (review of access privileges) and found that this process is not formally documented. Furthermore, we identified that the review of the access privileges for each FFMS account is not adequately recorded and no audit trail is available to support that a recertification was completed.
Recommendation: We recommend that ICE management establish and implement policies and procedures for recertification of FFMS user privileges. This process should include a method to document user recertification and a process to maintain evidence of the reviews.

ICE-IT-09-16 (New issue: X; Repeat issue: none; Severity rating: 2)
Condition: We determined that weaknesses exist over ADEX access. Specifically, we found that 14 users who had separated from ICE still had active ADEX accounts that were not removed upon their termination/transfer.
Recommendation: We recommend ICE management develop processes for the removal of transferred/terminated users within ADEX upon their separation.

ICE-IT-09-17 (New issue: X; Repeat issue: none; Severity rating: 2)
Condition: We performed an inspection of a listing of FFMS users and their assigned roles/responsibilities and determined that 6 users had Originator, Funds Certification Official, and Approving Official profiles that were in violation of FFMS segregation of duties policies.
Recommendation: We recommend that ICE enforce policies and procedures to ensure that assigned roles and responsibilities are commensurate with personnel job functions.

ICE-IT-09-18 (New issue: X; Repeat issue: none; Severity rating: 2)
Condition: We identified that background reinvestigations are not conducted in a timely manner. We performed an inspection of a sample of ICE personnel requiring reinvestigations during the fiscal year, and of the 25 ICE employees sampled, evidence of background reinvestigations during FY 2009 could not be provided for 16 contractors.
Recommendation: We recommend ICE management periodically review personnel files to confirm background reinvestigations have been completed in accordance with DHS standards.

ICE-IT-09-19 (New issue: X; Repeat issue: none; Severity rating: 2)
Condition: We performed an inspection of a sample of personnel that had terminated/transferred from their employment with ICE during the fiscal year. We requested evidence that exit clearance forms were completed for each employee to determine ICE management's compliance with exit clearance procedures. Of the 25 terminated/transferred ICE personnel sampled, evidence of compliance with exit clearance procedures could not be provided for 12 employees.
Recommendation: We recommend ICE management adhere to exit clearance procedures and require personnel to follow them in the event of transfer/termination.

ICE-IT-09-20 (New issue: X; Repeat issue: none; Severity rating: 2)
Condition: We determined that ICE lacks policies and procedures requiring completion of a training program by personnel in IT security positions.
Recommendation: We recommend that ICE management implement mandatory requirements for IT security personnel to complete training consistent with their job function duties.

ICE-IT-09-21 (New issue: X; Repeat issue: none; Severity rating: 2)
Condition: During the internal vulnerability assessment efforts of ICE's network servers and systems, we identified several High/Medium Risk vulnerabilities related to configuration management. We determined that security configuration management weaknesses (i.e., missing security patches and incorrect configuration settings) exist on hosts supporting ICE.
Recommendation: In addition to addressing the specific vulnerabilities identified in the condition, ICE should:

• Redistribute procedures and train employees on continuously monitoring and mitigating vulnerabilities. In addition, we recommend that ICE periodically monitor the existence of unnecessary services and protocols running on their servers and network devices, in addition to deploying patches.

• Perform vulnerability assessments and penetration tests on all offices of ICE, from a centrally managed location with a standardized reporting mechanism that allows for trending, on a regularly scheduled basis in accordance with NIST guidance.

• Develop a more thorough approach to track and mitigate configuration management vulnerabilities identified during monthly scans. ICE should monitor the vulnerability reports for necessary or required configuration changes to their environment.

• Develop a process to verify that systems identified with "HIGH/MEDIUM Risk" configuration vulnerabilities do not appear on subsequent monthly vulnerability scan reports, unless they are verified and documented as a false-positive. All risks identified during the monthly scans should be mitigated immediately, and not be allowed to remain dormant.

ICE-IT-09-22 (New issue: X; Repeat issue: none; Severity rating: 2)
Condition: During our after hours physical testing, we identified 26 passwords, 4 For Official Use Only violations, 2 unsecured ID badges/keys, 15 Personally Identifiable Information violations, 2 server names/IP addresses, 3 unsecured laptops, 6 unsecured external drives, 1 unsecured credit card, and 2 users logged into a system without an active screen saver set.
Recommendation: KPMG recommends that ICE management implement processes to:

• Ensure that users are trained and aware of safeguarding login credentials, locking network sessions to DHS systems, and locking any sensitive information, media containing sensitive information, or data not suitable for public dissemination in secure locations when not in use.

• Effectively limit access to DHS buildings, rooms, work areas, spaces, and structures housing IT systems, equipment, and data to authorized personnel.

ICE-IT-09-23 (New issue: X; Repeat issue: none; Severity rating: 2)
Condition: We identified that the IT security awareness training requirements are not enforced. Of the population of staff that had not taken the training by the ICE deadline of 6/1/09, we determined that 3 employees still maintained system access. Additionally, procedures are not in place to disable user accounts and access privileges if annual training is not completed.
Recommendation: We recommend ICE management:

• Remove system access for personnel that are not in compliance with training requirements.

• Document procedures regarding the disabling of user accounts and access privileges in accordance with DHS policies for employees not in compliance.
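The last two recommendation bullets of NFR ICE-IT-09-21 above describe a recurrence check over monthly scan reports. The following is an added example, not code from the audit report or from ICE: it compares two constructed monthly scan reports, applies a false-positive register, and lists the High/Medium findings that reappeared without being documented as false positives, alongside the new and remediated ones. The CSV layout, field names, host names and plugin ids are assumptions.

```python
"""Added example, not from the audit report: flag High/Medium findings that reappear on a
later monthly scan unless they are documented false positives (NFR ICE-IT-09-21)."""
import csv
from io import StringIO

# Constructed sample reports in an assumed CSV layout: host, plugin_id, severity, title.
# Host names, plugin ids and titles are made up for the example.
MAY_SCAN = """host,plugin_id,severity,title
fin-app-01,10001,High,Missing security patch (example)
fin-app-01,10002,Medium,Unnecessary service enabled (example)
fin-db-01,10003,High,Incorrect configuration setting (example)
fin-web-01,10004,Low,Informational banner (example)
"""

JUNE_SCAN = """host,plugin_id,severity,title
fin-app-01,10001,High,Missing security patch (example)
fin-db-01,10003,High,Incorrect configuration setting (example)
fin-web-01,10004,Low,Informational banner (example)
fin-web-01,10005,Medium,Weak configuration setting (example)
"""

# Constructed false-positive register: (host, plugin_id) pairs verified and documented.
FALSE_POSITIVE_REGISTER = {("fin-db-01", "10003")}

TRACKED_SEVERITIES = {"High", "Medium"}


def parse_scan(report_csv: str) -> dict[tuple[str, str], dict[str, str]]:
    """Index a scan report by (host, plugin_id), keeping only High/Medium rows."""
    findings = {}
    for row in csv.DictReader(StringIO(report_csv)):
        if row["severity"].strip().capitalize() in TRACKED_SEVERITIES:
            findings[(row["host"].strip(), row["plugin_id"].strip())] = row
    return findings


def recurrence_report(previous_csv: str, current_csv: str,
                      false_positives: set[tuple[str, str]]) -> dict[str, list[str]]:
    """Classify this month's High/Medium findings against last month's report.

    recurring: present both months and not documented as a false positive (the
               condition the recommendation says must not occur)
    documented_false_positive: present both months but recorded in the register
    new: first seen this month
    remediated: present last month and gone this month
    """
    previous, current = parse_scan(previous_csv), parse_scan(current_csv)
    both = previous.keys() & current.keys()

    def label(key: tuple[str, str]) -> str:
        return f"{key[0]}:{key[1]}"

    return {
        "recurring": sorted(label(k) for k in both if k not in false_positives),
        "documented_false_positive": sorted(label(k) for k in both if k in false_positives),
        "new": sorted(label(k) for k in current.keys() - previous.keys()),
        "remediated": sorted(label(k) for k in previous.keys() - current.keys()),
    }


if __name__ == "__main__":
    report = recurrence_report(MAY_SCAN, JUNE_SCAN, FALSE_POSITIVE_REGISTER)
    for category, items in report.items():
        print(f"{category}: {', '.join(items) or '-'}")
```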
Appendix C

Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at ICE

NFR No.         Description                                                         Disposition
                                                                                    Closed   Repeat
ICE-IT-08-04    Weak ICE Network/ADEX Access Controls Exist                         X
ICE-IT-08-09    ICENet\ADEX Contingency Plan is not Stored at Offsite Locations     X
ICE-IT-08-10    ICENet\ADEX Backup Facility Access is not Appropriately Secured     X
                from Unauthorized Access

Appendix D

Office of the Assistant Secretary
U.S. Department of Homeland Security
500 12th Street, SW
Washington, DC 20536

U.S. Immigration and Customs Enforcement

March 18, 2010

MEMORANDUM FOR: Frank Deffer
                Assistant Inspector General for Information Technology
                Office of Inspector General

FROM:           Kathy A. Hill
                Director
                Office of Assurance and Compliance

SUBJECT:        Response to the DHS Office of Inspector General Draft Report: "Information Technology Management Letter for the FY 2009 ICE Financial Integrated Audit" dated February 18, 2009

Thank you for the opportunity to comment on the above subject draft report. The U.S. Immigration and Customs Enforcement (ICE) is committed to ensuring the proper internal controls are in place to safeguard critical financial and operational data.

ICE concurred with all 13 of the recommendations contained in the draft report. Recommendations ICE-IT-09-11 and ICE-IT-09-18 have been assigned to the Office of Professional Responsibility, ICE-IT-09-19 has been assigned to the Office of Human Capital, and the Office of the Chief Financial Officer will monitor these recommendations. Previously, we requested that these recommendations be resolved and closed. The remaining 10 recommendations will be resolved by the Office of the Chief Information Officer. Corrective actions for these 10 recommendations are contained in the Trusted Agent FISMA (TAF).

Should you have any questions or concerns, please contact Claude Lucas, senior audit portfolio manager, at (202) 732-4162 or by e-mail at Claude.Lucas@dhs.gov.

Appendix E

Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
General Counsel
Chief of Staff
Deputy Chief of Staff
Executive Secretariat
Under Secretary, Management
Assistant Secretary, ICE
DHS Chief Information Officer
DHS Chief Financial Officer
Chief Financial Officer, ICE
Chief Information Officer, ICE
Chief Information Security Officer
Assistant Secretary, Policy
Assistant Secretary for Public Affairs
Assistant Secretary for Legislative Affairs
DHS GAO OIG Audit Liaison
Chief Information Officer, Audit Liaison
ICE Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees as Appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
  DHS Office of Inspector General/MAIL STOP 2600,
  Attention: Office of Investigations - Hotline,
  245 Murray Drive, SW, Building 410,
  Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.